Monday, December 19, 2005

The Code Map Password Method

Having multiple bank accounts online is becoming more common. In addition to bank accounts, many people may have multiple brokerage accounts and credit card accounts. Any online account that involves money needs to be carefully protected. One of the important tasks of protecting online accounts is to safely manage your passwords. This requires the following:

1. Passwords should not be written down or recorded in a file

2. Each password should be unique and random compared with those used at other places

3. Passwords are regularly changed with new unique and random characters

This password management becomes difficult as you acquire more and more online accounts. If you strictly follow these rules, you'll likely be forgetting passwords every week.

Password Method

I've come across a password method that can help. It's a method that was described in this slashdot thread. The method involves giving each account a 4-to-6 letter code. This code can be an easy to remember name. Each character of this code maps to a random 2-character string. After each character is mapped, you have a new password that is random and twice as long as your code word. An example makes this much more understandable.

Suppose you use the code word of "bank" and you use the following code word mapping:

With this method, all you need to do is to come up with simple code words for each online account that you can easily remember. Then you generate a random code map and print it out. Any time you need your password, you just apply your code word to the map.

This method allows you to meet the three password rules:

1. Passwords should not be written down or recorded in a file

You don't have the passwords printed, just the code map table, so the table by itself is not a list of passwords. Keep in mind, though, that the code words are meant to be easy to remember (step 4 below even derives them from the institution name and your own name), so someone who steals the table may well be able to guess them. Treat the table as the real secret and store it accordingly.

2. Each password should be unique and random compared with those used at other places

If each online account has a different code word, each maps to a different password. Note that two code words that share a letter produce passwords that share that letter's 2-character string, so a password exposed at one site reveals a few entries of the map; choosing code words with few letters in common limits this.

3. Passwords are regularly changed with new unique and random codes

To come up with new unique passwords only requires generation of a new code map table. Your code words that you remember can remain the same.

My Code Map Generator Program

The person who described this method in the slashdot thread said he wrote a Perl program to generate the code map. I thought I could write a similar program that would be accessible from the web, so I created one using JavaScript. Besides being accessible from the web, a JavaScript program is executed locally in your browser. Thus, when you generate the code map table, it is rendered in your browser and nothing has to be sent to or recorded at the server. That removes the server as a place the codes could leak from, though you are still trusting the script the site serves you and your browser's random number generator, so treat the generated table like any other secret.

Code Map Generator Steps

Here is a list of steps to implement this password method with this code-map generator tool.

1. Select the left button to create the codes. A new window opens containing 3 code-map tables; all 3 tables are identical. Every time the button is selected, new random codes are generated that are different from previous runs.

2. Print out the code map table. Cut out the three tables. One can be carried in your wallet. The other two can be kept in a safe place. An easy way to protect the paper is to attach the paper to a business card with clear plastic tape. The tape can provide a crude laminate over the paper.

3. Close the code-map table window. It would be a good idea to clear out your browser cache so there is no chance of someone else seeing the codes.

4. Once you have your code-map table, you have to come up with code words for each online account. I would recommend code words more complex than "bank". One method might be to use the first three letters of the financial institution name combined with the first two letters of your name.

5. Record your online accounts with the corresponding login names and these code words into a secure file or onto paper. Since these will not be changing, you can keep this in your safe deposit box or in other secure locations.

6. Log in to your accounts and change the passwords.

7. To change passwords in the future, just generate a new code-map table and redo the password changing process at each account.

Accounts With Password Rules

Some accounts require passwords to have at least one upper case letter and one number. EmigrantDirect's online account system is one example. The code map strings are randomly chosen from upper case letters, lower case letters, and numbers, so it is possible that every character of your code word maps to a string with only lower case letters. However, I have designed a method to overcome this potential problem.

If you have an account that requires passwords to have at least one upper case letter and one number, make sure you include at least one vowel in your code word (a, e, i, o, u and y).

My program requires every vowel to map to a string containing one numeral and one upper case letter. Thus, if your code word includes a vowel, the password is guaranteed to meet the account's requirement.

If you have an account that requires passwords to have at least one upper case letter, one number AND one lower case letter, make sure you include at least one vowel and one number in your code word.

I've constrained the numbers to map to a 2-character string that will include at least one lower case letter. For example, if your code word has two vowels and two consonants, it may be possible that the two consonants won't include a lower case letter. If you include a one-digit number in your code word, you'll be guaranteed to have at least one lower case letter.

If you have an account that requires passwords to have at least one punctuation mark, you're going to have to work around this issue with my tool.

I didn't want to include punctuation marks in the strings, since many sites only allow letters and numerals. One way to handle this is to include a vowel in your code word, then change the numeral in that vowel's string to a fixed punctuation mark (like a $).

Due to these constraints, the randomness of the code map is not ideal. Another thing that reduces the randomness of the code map generator is excluding a few letters and numerals that look very similar to other letters or numerals. For example, I exclude a zero and the letter "O" from being included in the string.

Drawbacks

This password method isn't perfect. Here are some drawbacks that you should consider:

You always need the paper with the code map. It's very difficult to remember without the code map. If you lose all the code map tables, you have to reset the passwords to all of the online accounts. That's why the tool generates three tables and not just one. It's important to keep these in safe and secure places.

If you don't change all the passwords at once, you might need multiple code map tables. If you only have one account that requires periodic changes, you might be tempted not to change the others. That's why I include the date on the table to help differentiate multiple tables.

Other Password Methods

As discussed in that slashdot thread, there are many other password methods that can be used. There are programs which can encrypt all of your password information. Then you only need to remember one password to see the passwords of all of your accounts. Account aggregation services like Yodlee provide a similar service.

My concern with this method is that if that main password is compromised, then all of your other passwords can get compromised.

Another technique is an acronym method as described in this article. The problem with this is that it's difficult to regularly change the passwords to all of your accounts.

User Agreement

As with any software, I'm sure this program isn't bug free. It may not work perfectly in some browsers. Also, there could be issues with the randomness of the codes. The basic tests that I've done don't show a problem, but there are likely to be issues. Feel free to leave comments if you find any problems. I'll release new versions to fix bugs as best I can. The theory behind this password method seems intrinsically safe. Nothing is kept on the server so there is nothing to steal. However, I can't guarantee that there will not be issues.

14 Comments:

I think you ought to make it so you can remember your seed value. Then make a little 'blank' so you can put in your code word, like bank. Then if you were really feeling ambitious, put the darned thing in a toolbar in Firefox!

I love Roboform. Never have used keypass. Roboform is elegant, works great and makes filling out purchase forms a breeze to boot. I use Roboform2go so it's on my thumbdrive. The beauty of it is that I can avoid anybody "resetting" my passwords by answering stupid security questions because the answers to my security questions are long strings of randomly generated characters, like my username and password. Result: People don't know my username; if they know my username they can't answer my security questions to reset my password. Downside -- without Roboform I can't log on to my accounts. Indeed, I don't even know my own username.

About

Having trouble keeping your passwords secure? And remembering them all? I've put together a simple method and tool to help.
Questions? Send email to bankdeals at gmail dot com

Run the CMP Tool

Version 1.1. Note: a new window will open when the button is clicked.
